Hi,
I need help specifying a TIME_FORMAT in my props.conf file
My Log file (OS=Windows) contains date-times like these:
1 - 9/22/2010 23:36:33 PM - CC Housekeeping : Leaving Log All Manual Intervention Pending Payments
1 - 9/22/2010 23:36:33 PM - CC Housekeeping : Leaving ExportBatch
2 - 9/22/2010 23:36:33 PM - CC Housekeeping : Disconnecting from database
1 - 9/22/2010 23:36:33 PM - CC Housekeeping : Mediator has finished main processing
1 - 9/22/2010 23:36:33 PM - CC Housekeeping : Call to Shutdown on objects made
5 - 9/23/2010 0:05:30 AM - CC Housekeeping : Starting Mediator with Debug Mode of : Proc...
1 - 9/23/2010 0:05:30 AM - CC Housekeeping : Test Mediator
1 - 9/23/2010 0:05:30 AM - CC Housekeeping : Performance Monitor Counters added
Splunk (OS = Windows) interprets properly the 23 (11 PM) rows, but does not recognize this (0:05:30 AM) as (00:05:30 AM).
Sadly, it interprets those times as (05:30:00 AM), five thirty in the morning, instead of zero hours, 5 minutes, 30 seconds.
I believe I need to define a TIME_FORMAT stanza in my props.conf file but I do not know how to specify the hour portion of this format.
Is this correct? %m/%d/%Y %k:%M:%S %p
How can I specify that the hours are not preceded by a leading zero?
Hours in my log file range like this:
0:mm:ss AM mm minutes after midnight
1:mm:ss AM one in the morning
9:mm:ss AM nine in the morning
11:59:59 AM almost noon
12:00:01 PM one second after noon
14:06:02 PM two hours 6 minutes 2 seconds in the afternoon.
23:59:59 PM almost midnight.
Thanks in advance,
Marcelo Finkielsztein
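An offline check of the timestamp layout described in the question, as an added example that is not part of the original post. It uses Python's own strptime rather than Splunk's timestamp processor, so it only shows what the log lines contain (an unpadded 24-hour value followed by a redundant AM/PM marker) and gives a reference value to compare against the indexed `_time`. The names `LINE_RE`, `parse_line` and `summarize` are hypothetical, and the last sample line is constructed.

```python
import re
from datetime import datetime

# Two lines taken from the post's excerpt, plus one constructed line whose
# AM/PM marker contradicts its 24-hour value.
SAMPLE = """\
1 - 9/22/2010 23:36:33 PM - CC Housekeeping : Leaving ExportBatch
1 - 9/23/2010 0:05:30 AM - CC Housekeeping : Test Mediator
1 - 9/23/2010 14:06:02 AM - CC Housekeeping : constructed bad marker
"""

# level - M/D/YYYY H:MM:SS AM|PM - message; month, day and hour may be unpadded.
LINE_RE = re.compile(
    r"^(?P<level>\d+) - "
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}) "
    r"(?P<marker>AM|PM) - (?P<msg>.*)$"
)

def parse_line(line):
    """Return (timestamp, marker_ok, message), or None if the line is malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        # The hour is a 24-hour value; Python's %H accepts one or two digits.
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
    except ValueError:
        return None  # e.g. hour 25 or month 13
    # The marker carries no extra information; it should only agree with the hour.
    expected = "AM" if ts.hour < 12 else "PM"
    return ts, m["marker"] == expected, m["msg"]

def summarize(text):
    """Count parsed lines, malformed lines and lines with a contradictory marker."""
    counts = {"ok": 0, "bad_marker": 0, "malformed": 0}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            counts["malformed"] += 1
        elif parsed[1]:
            counts["ok"] += 1
        else:
            counts["bad_marker"] += 1
    return counts

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(parse_line(line))
    print(summarize(SAMPLE))
```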